fail2ban configuration in Fedora/RHEL

The configuration files in Fedora20 for fail2ban are located in the /etc directory under /etc/fail2ban/
with further sub-directories for actions, filters and jails.

drwxr-xr-x.   2 root 4.0K May 16  2014 action.d
drwxr-xr-x.   2 root 4.0K Mar 19  2014 fail2ban.d
drwxr-xr-x.   2 root 4.0K May 16  2014 filter.d
drwxr-xr-x.   2 root 4.0K Mar 19  2014 jail.d
-rw-r--r--.   1 root 2.1K Mar 14  2014 fail2ban.conf
-rw-r--r--.   1 root   33 Dec 10 00:16 fail2ban.local
-rw-r--r--.   1 root  14K Dec 10 01:06 jail.conf
-rw-r--r--.   1 root  16K Dec 10 00:54 jail.conf.rpmnew
-rw-r--r--.   1 root  805 Dec 10 07:48 jail.local
-rw-r--r--.   1 root 1.5K Mar 14  2014 paths-common.conf
-rw-r--r--.   1 root  606 Mar 14  2014 paths-debian.conf
-rw-r--r--.   1 root  649 Mar 14  2014 paths-fedora.conf
-rw-r--r--.   1 root 1.2K Mar 14  2014 paths-freebsd.conf
-rw-r--r--.   1 root  290 Mar 14  2014 paths-osx.conf

NOTE: In order to preserve your edits and customizations you should create separate *.local files, as the normal *.conf files (may) get overwritten during an upgrade. The *.local files take precedence over the *.conf files as the former are parsed after the latter. In *.local files specify only the settings you would like to change and the rest of the configuration will then come from the corresponding *.conf file which is parsed first.

sendmail Notifications

If you’d like to be notified every time fail2ban blocks an ipaddress from ssh access, for example, edit/create the /etc/fail2ban/jail.local file and append the following lines:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Since the [ssh-iptables] section wasn’t included in the jail.conf file by default (on my system, at least), I’ve added the entire section to the jail.local file; whereas, if it had been, I would’ve only added the lines I’d want to change.
All entries are separated by sections/headers enclosed in square brackets; the lines that follow then are applicable for that section until the next [section name].

enabled = true
“enabled” enables the jails.
By default all jails are disabled, and it should stay this way. Enable only those jails relevant to your setup in your .local or jail.d/*.conf files.

  • true: jail will be enabled and log files will get monitored for changes
  • false: jail is not enabled

filter = sshd

refers to the .conf file in /etc/fail2ban/filter.d/, which contains the rules (regex expressions, etc) that fail2ban uses to find matches in the log files.

action =

Each jail can be configured with only a single filter, but may have multiple actions. For those name items (e.g. action) that can accept multiple values (e.g. iptables, sendmail), specify the values separated by spaces, or in separate lines space-indented at the beginning of the line before the second value; therefore, mind the tabs at the beginning of the “sendmail…” line. 

action = iptables[...]
         sendmail-whois[..]

By default, the name of an action is the action filename in /etc/fail2ban/action.d/, and in the case of Python actions, the “.py” file extension is stripped. The action option refers to the steps that fail2ban will take to e.g. ban an IP address matching the options in the specified filter.

iptables[name=SSH, port=ssh, protocol=tcp]

name=, port=, and protocol= are the options in the /etc/fail2ban/action.d/iptables.conf file that you’d like to change or specify. Action files have two sections, Definition and Init. The “Init” section enables action-specific settings which can be overridden for a particular jail as options of the action’s specification in that jail.


firewalld

With the recent versions of Fedora and RHEL the default firewall program is firewalld. The Fedora Wiki has some useful configuration options listed for fail2ban with firewalld, such as changing the default default banaction to firewallcmd-ipset. Simply add the following to the beginning of the DEFAULT section in your jail.local file: 

banaction = firewallcmd-ipset
There are also configuration files in the action.d subdirectory for firewallcmd-ipset.conf and firewallcmd-new.conf. Additional info can be viewed and trucked in this bug-report.

Popular posts from this blog

Password Policy in RHEL 7

In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib.
The code was originally based on pam_cracklib module, and the module is backwards compatible with its options.

The pam_pwquality module can be customized and configured in the file /etc/security/pwquality.conf. The possible options in the file are: difok Number of characters in the new password that must not be present in the old password. (default 5)

minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9)

dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. (default 1)

ucredit T…
Read more

Centos 7 pulseaudio

Image
Centos 7 doesn't come with an option for `awesome-wm` installation.  Therefore, the only way to make use of this light-weight tiling manager one has to enable Fedora 19 repo or build the package from source.  For the Fedora 19 repo approach, see:

https://gist.github.com/ILMostro/1909a50e1858d0ee7e10

To use without GDM, GNOME's display manager, and without gnome services, one has to be aware of certain shortcomings that the gnome-services provide by default.  One such shortcoming is the lack of built-in Sound and Volume management.  Never fret, though, as there is a solution; namely, the PulseAudio-focused tools pavucontrol and pavumeter.  These packages are available from the "nux-desktop" repository available at at http://li.nux.ro/repos.html .
nux-desktop My unofficial, as-is, not for profit RPM repositories for EL (RHEL, CentOS, ScientificLinux etc): These repos may or may not be up to date or behave the way you expect them to; use them at your OWN RISK!

Some of…
Read more

wpa_supplicant and wifi in RHEL 7

If you have a desktop environment set up in Red Hat Enterprise Linux 7, chances are that you might have GNOME installed as it is the "default".  NetworkManager is pulled in as a dependency package of GNOME and it's integrated into gnome-shell in the top panel as a widget.  While NetworkManager is a great tool as it consolidates many different networking tools and facilitates the network configuration for many different use-cases, there might be instances where its broad reach becomes an obstacle rather than a benefit to system administrators.  One such instance is when dealing with network bridging.

Recently I was trying to set up a network bridge on my laptop, as it's equipped with a wifi adapter and an ethernet adapter, in order to dedicate the ethernet interface to a virtual machine in Red Hat 7--or at least to "share" it.  Bridged networking (also known as physical device sharing) is used to dedicate a physical device to a virtual machine. 
So, since w…
Read more